European Banking Federation

General introduction

The European Banking Federation welcomes the opportunity to comment on the draft guidelines suggested by the European Banking Authority (EBA) on the criteria on how to stipulate the minimum amount of the professional indemnity insurance or other comparable guarantees under Article 5(4) of the revised Payment Services Directive (PSD2) for Payment Initiation Services (PIS), Account Information Services (AIS) and Card Issuing Services (CIS) Providers.

Defining the appropriate criteria for a professional insurance (or equivalent guarantee) requires striking the right balance between the sustainability of the modus operandi of PIS/AIS and Card Issuing Services hereafter referred to as “TPPs”), whilst maintaining customers’ and corporates’ trust in European payment services that must continue to offer the highest level of certainty and protection in case of fraud. The PSD2’s objectives, both to secure the global environment, and to promote competition and innovation must therefore be fully met.

The provision of pan-European payment initiation services and account information services cannot be envisaged with 27 different regulatory regimes when it comes to professional indemnity insurances or comparable guarantees. The EBA should therefore seek to it that the forthcoming guidelines are not implemented in a divergent manner by competent authorities, leading to a fragmentation within the European Union that would be particularly damaging for the entire payment ecosystem. Consequently, we would propose that the Guidelines leave no room for varying interpretations and modus operandi.

We would also suggest clarifying, in the final Guidelines, that these requirements do not apply to AS PSPs since their activities and the risks related to them are already covered in their own operational risk management and solvency requirements.

Question 1

Trust in payment systems (and beyond when it comes to data breaches) can be substantially affected if the activity of TPPs is not properly protected by an appropriate insurance or equivalent guarantee. The provision of new types of payment services is expected to grow rapidly as soon as the PSD2 and the EBA RTS have been implemented in the European Union. As a result, an annual review seems at odds with a rapidly changing environment requiring, rather, a quarterly analysis of the TPPs’ business growth (number and amount of transactions, direct losses and fraud rates as well as indirect losses due, for example to data or network breaches). In their own interest, TPPs should be able to cover the losses generated by their activities (in case of major hacking attack for example). A close monitoring of their business volume is therefore crucial.

Guideline 9 should therefore be amended as follows: “When granting the authorisation and/or registration for the undertakings, competent authorities should stipulate that the undertakings review, and if necessary re-calculate, the minimum monetary amount of the PII or comparable guarantee, and that they do so at least on an annual basis, or on a QUARTERLY basis IF THE ACTIVITY INCREASES BY MORE THAN 10% IN A QUARTER. COMPETENT AUTHORITIES MUST CLOSELY MONITOR THE ACTIVITY OF THE AUTHORISED AND/OR SUPERVISED ENTITY”.

It is also quite essential to point out that, in the insurance market, it is common practice to contract policies with franchises, as should a covered event occurs, the insurance coverage will actually take on a lower amount of what could be expected since the policyholder has to bear a net loss. This practice should be taken into account by supervisory authorities because in case of high franchises, the payment services’ provider will be in a very complex financial situation and, most likely, unable to meet its financial obligations. A possible solution would be to set a limit to the franchises in the form of the maximum percentage they may represent on the amount of the policy.
We agree with the EBA that experience in the market for PIS and AIS is very limited. Nor do we know how many entities will enter the market. Thus, we would advocate a flexible approach and shorter terms to review and, if need be, update the professional indemnity insurance (PII) and the equivalent guarantee to the evolution of the TPPs’ activity.
Given the potential exponential growth of the TPPs’ business activity, the key criteria should include:
• the nature of their business relationship (average transaction amount combined with the total volume of transactions); the combination of both criteria is of the essence as the PII must cover single high-value transaction the same way as it covers multiple low-value transactions (€5000 = 100 transactions of a €50 average);
• a different weighting for corporates and individuals;
• the business forecast re-evaluated on a quarterly basis, in line with the quarterly review of the minimum monetary amount of the PII or comparable guarantee as suggested under question 1 for inclusion in Guideline 9;
• the amount of complaints received from the TPPs’ clients (individuals/corporates and merchants) through their respective AS PSPs (payments or data breaches);
• the total amount of unauthorised transactions attributable to the TPP;
• the number of information requests on the TPPs’ client’s payment accounts.

In addition, we would suggest retaining a longer period for previous claims (three years instead of one) to give more resilience to the PII or guarantee retained.
The EBA should also envisage the scenario under which PIS, AIS and maybe CIS are provided by the same entity. In this very particular case (which may become the norm owing to its cumulative benefits), the PII or equivalent guarantee should cover the exponential effect of these activities: when defrauded, criminals’ access to the clients’ data on their revenues and assets coupled with the possibility to initiate payments based on these data.
As stated above, the evolution of the business activity must be closely monitored to ensure that any PII or equivalent guarantee is appropriate at any point in time. The amount of EUR 10 million proposed by the EBA would not cover the case where PISPs handle high transaction amounts, as it would typically be the case for corporate clients. We would therefore suggest introducing a sub-category for corporate customers in the activity criterion.
The activity of payment service providers issuing card-based payment instruments needs to be included in the scope of the forthcoming guidelines as their activity entails equivalent risks.

In general terms, the amount proposed seems rather low in comparison with the risk of initiating payments or aggregating payment accounts. In case of identity theft for example, the damage caused to the victims goes way beyond the mere loss of money due to fraudulent transactions and could extend to loss of property and substantial legal costs to regain possession and all the attributes linked to his or her identity. The moral damage of the victim should not be underestimated either. In this case, the amount proposed is clearly not sufficient. In addition, the provisions of the General Data Protection Regulation (GDPR) Regulation EU 2016/679 should also be taken into account as a company may be fined up to 4% of its global annual turnover or EUR 20 million. We would therefore propose that the formula to be used by the competent authorities be reviewed accordingly.

When calculating the amount reflective of the risk profile criterion for both PIS and AIS, a number of issues have to be taken into account. Among those, the security profile as defined in the security policy document that is part of the application documents for a PISP. This policy should be updated from time to time and should cover potential risk related to security in general terms, but should also explicitly mention cyber security and data breaks’ risks.
• The regime introduced by art. 5 of the PSD2 aims at ensuring a balance in terms of liabilities between account servicing payment service providers and providers offering the services under points 7 and 8 of Annex I of the PSD2, and it directly supporting the overall liability regime introduced by the PSD2 (articles 65 and 89).

• We believe that in order for the regime to be effective, the minimum amount of the insurance or comparable guarantee is not the only relevant criteria. Indeed, especially in an e-commerce environment where third party providers operate from anywhere in the Union, it is central that an AS PSP, having suffered damage be able to bring an action in a different jurisdiction to recover the sums already refunded to its client, especially when the amount of each claim, individually taken, is not significant.

Consequently, not only the amount of the professional indemnity insurance but also the possibility of activating the insurance swiftly on a cross-border basis is fundamental in ensuring the intended effectiveness of the PSD2 liability regime. To this end we believe that the Guidelines should include the provision that competent authorities should ensure that the AS PSP – who already has refunded its unduly debited client’s account – could directly claim on first demand the professional indemnity insurance (or the comparable guarantee) whenever the liable PISP or AISP does not comply with its obligation to compensate the ASPSP immediately.

• Furthermore, information on the professional indemnity insurance (or the comparable guarantee) should be easily available and promptly updated at least in the EBA register of information where references (name, address, etc.) of the Insurance Company of each PIS and AIS provider should be provided.

• Article 71.1 of the PSD2, and in the event of unauthorised or incorrectly executed transactions, payment service users must notify “without undue delay on becoming aware of any such transaction giving rise to a claim, including that under article 89, and no later than 13 months after the debit date”. As a general policy principle, any PII or comparable guarantee must therefore still be valid at least 13 months after the last transaction or account information request.

• Whereas professional indemnity insurance are well-known practices in the business community, the concept of “comparable guarantee” should be clarified. Will such guarantee be held by an independent/supervised entity or a government agency? Such “comparable guarantee” should offer the same protection as the PII to maintain the current level of confidence and security of payments in the European Union.

• Finally, a close cooperation with law enforcement authorities and National/European agencies should also be sought to manage this new activity closely as it will not fail to attract criminals once it is launched in all EU countries.
[Other "]"
Pascale-Marie Brien